Where I work 



LANGLEY FORMAL METHODS 


► “Formal Methods” refers to mathematically rigorous 
techniques and tools for the specification, design and 
verification of software and hardware systems. 

► Formal methods provide a means to symbolically examine the 
entire state space of a digital design (hardware or software) 
and establish correctness or safety properties that are true for 
all possible inputs. 
What I do 



Welcome to the PVS Specification 
and Verification System 


► PVS is a tightly coupled specification language and 
interactive theorem-prover used extensively by the formal 
methods group. 
Termination in PVS 


Prove termination in two steps. 

► Provide a function from the inputs into a well-founded order. (A 
WFO is a set S and a relation < with no infinite decreasing 
chain.) 

► Show that every recursive call “lowers” the value of the 
function. 
An Example 

For $m, n \in \mathbb{N}$, let 

$$
\mathrm{Ack}(m, n) =
\begin{cases}
n + 1 & \text{if } m = 0, \\
\mathrm{Ack}(m - 1, 1) & \text{if } m > 0 \text{ and } n = 0, \\
\mathrm{Ack}(m - 1, \mathrm{Ack}(m, n - 1)) & \text{otherwise.}
\end{cases}
$$

Three calls, so we need some measure where: 

► $(m, n) > (m - 1, 1)$, 

► $(m, n) > (m - 1, \mathrm{Ack}(m, n - 1))$, 

► $(m, n) > (m, n - 1)$. 

Lexicographic order on pairs works... 
The Size Change Principle 

“A program terminates on all inputs if any infinite call sequence 
would give rise to an infinite descent in some (well-founded) data 
values.” [Lee, Jones, Ben-Amram] 

[Figure: call tree for Ack(2, 1), showing the nodes Ack(1, Ack(2, 0)), Ack(2, 0), Ack(0, Ack(1, 2)), Ack(1, 2), Ack(1, 1), Ack(1, 0), Ack(0, Ack(1, 0)) = 3 and Ack(0, 1) = 2.] 
Calling Context Graph for Ackermann 

$$
\mathrm{Ack}(m, n) =
\begin{cases}
n + 1 & \text{if } m = 0, \\
\mathrm{Ack}(m - 1, 1) & \text{if } m > 0 \text{ and } n = 0, \\
\mathrm{Ack}(m - 1, \mathrm{Ack}(m, n - 1)) & \text{otherwise.}
\end{cases}
$$

Three calling contexts: 

1. $\{(m, n),\ (m > 0 \wedge n = 0),\ (m - 1, 1)\}$ 

2. $\{(m, n),\ (m > 0 \wedge n > 0),\ (m - 1, \mathrm{Ack}(m, n - 1))\}$ 

3. $\{(m, n),\ (m > 0 \wedge n > 0),\ (m, n - 1)\}$ 
Calling Context Graphs 

(Very informally,) 

“If every infinite walk on the CCG of a function results in the 
infinite descent of some well-founded measure, then the function 
terminates on all inputs.” [Manolios and Vroon] 
Matrix Weighted Digraphs [Avelar, Muñoz, Rincón] 

A framework built on CCGs to efficiently handle several measures. 

► Each edge from a CCG is assigned an $N \times N$ matrix with 
entries in $\{-1, 0, 1\}$. 

► Matrix multiplication is standard, but with non-standard 
operations on the elements. 

► The weight of a walk on the graph is the product of the 
matrices on the edges. 

► A matrix is called positive if it has a 1 entry on the main 
diagonal. 
28th Cumberland Conference on Combinatorics, Graph Theory & Computing 
A Theorem and a Problem 

Theorem (Avelar, Muñoz, Rincón) 

If every circuit of a Matrix-Weighted Digraph has positive weight, 
then the corresponding program terminates on all inputs. 

Problem: There are infinitely many circuits, and circuits can be 
arbitrarily long. How can this be checked? 
One Solution 

Theorem 

It suffices to examine a finite collection of circuits. 

Specifically, if $G$ is the matrix weighted digraph and the matrices 
are $N \times N$, checking circuits with length at most $3^{N^2}|G| + 1$ 
suffices. 

Proof. □ 
A Process 

Idea: 

► Let $S_i = \{L_v \mid v \in G\}$, where $L_v$ contains all matrices that are 
the weight of some circuit at $v$ with length at most $i$. 

► Start with empty lists for $S_0$. 

► Calculate $S_{i+1}$ from $S_i$. ← The hard part. 
The Hard Part 

Given a cycle at $v$, instead of multiplying matrices only from the 
edges, for each vertex $u$ on the cycle, include a matrix from $L_u$. 
This simulates following a circuit at $u$. 

$L_u = \{M_2, M_4, M_5, \ldots\}$ 

Append the result to $L_v$. Do this for every vertex, cycle at the 
vertex, and choice of matrices at vertices of the cycle. 
An Optimization 

The lists $L_v$ can get long, making the calculation of $S_{i+1}$ slow. We 
can do better. 

► Matrices form a partial order under pointwise $\le$. 

► Multiplication respects the partial order. 

Instead of keeping all matrices in $L_v$, keep only those minimal with 
respect to this partial order. 
Early Exits 

A few properties of the (optimized) process. 

► If the process ever results in a non-positive matrix, it can quit. 
(Failed to prove termination...) 

► If ever $S_{i+1} = S_i$, then every further iteration will equal $S_i$. 
(Stabilization...) 

► The process will always stabilize. (At worst $3^{N^2}|G| + 1$ 
iterations.) 
Terminal Remarks 

In practice, the process always stabilizes early. 

Example 

For $\mathrm{Ack}(m, n)$, let $\mu_1(m, n) = m$ and $\mu_2(m, n) = n$. 

The guarantee is $3^5 + 1 = 244$ iterations. 

The process stabilizes after 2 iterations. 
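The process from the preceding slides (matrix weighted digraph, minimal-element optimization, early exits) run end to end on the Ackermann measures $\mu_1 = m$, $\mu_2 = n$. This is an added example, not code from the talk or from PVS. The element operations (1 for a strict decrease, 0 for a non-increase, −1 for no information, composed so that "unknown" absorbs and otherwise the stronger fact wins) are my reading of the slides, every function name is mine, and the three Ackermann matrices as well as the non-terminating "swap" contrast are hand-constructed inputs.

```python
from itertools import product

# Entry semantics, as I read the slides (an assumption, not the authors' definition):
#   1  the target measure is strictly smaller than the source measure on this call
#   0  the target measure is not larger than the source measure
#  -1  no information
STRICT, NONINC, UNKNOWN = 1, 0, -1


def compose(a, b):
    """Chain two facts along consecutive calls: a gap in knowledge stays a gap,
    otherwise one strict step makes the whole chain strict."""
    if a == UNKNOWN or b == UNKNOWN:
        return UNKNOWN
    return max(a, b)


def matmul(A, B):
    """Standard matrix product with compose as 'times' and max as 'plus'."""
    n = len(A)
    return tuple(
        tuple(max(compose(A[i][j], B[j][k]) for j in range(n)) for k in range(n))
        for i in range(n)
    )


def identity(n):
    """Neutral element for matmul: 0 on the diagonal, -1 elsewhere."""
    return tuple(tuple(NONINC if i == j else UNKNOWN for j in range(n)) for i in range(n))


def positive(M):
    """Positive: some measure strictly decreases around the circuit."""
    return any(M[i][i] == STRICT for i in range(len(M)))


def leq(A, B):
    """Pointwise partial order; smaller means less information."""
    return all(a <= b for ra, rb in zip(A, B) for a, b in zip(ra, rb))


def minimal(mats):
    """Keep only minimal matrices: if they are all positive, everything above them is too."""
    mats = set(mats)
    return frozenset(M for M in mats if not any(N != M and leq(N, M) for N in mats))


def simple_cycles_at(v, edges):
    """Simple cycles through v as lists of edge indices; edges are (src, dst, matrix)."""
    cycles = []

    def dfs(u, visited, path):
        for idx, (src, dst, _) in enumerate(edges):
            if src != u:
                continue
            if dst == v:
                cycles.append(path + [idx])
            elif dst not in visited:
                dfs(dst, visited | {dst}, path + [idx])

    dfs(v, {v}, [])
    return cycles


def step(S, edges, n):
    """S_{i+1} from S_i: for each cycle at v, at every vertex u the cycle leaves,
    optionally splice in a known circuit weight from L_u, then record the product."""
    new = {v: set(L) for v, L in S.items()}
    for v in S:
        for cycle in simple_cycles_at(v, edges):
            options = [[None] + sorted(S[edges[idx][0]]) for idx in cycle]
            for choice in product(*options):
                W = identity(n)
                for X, idx in zip(choice, cycle):
                    if X is not None:
                        W = matmul(W, X)          # follow a circuit at u first
                    W = matmul(W, edges[idx][2])  # then take the edge
                new[v].add(W)
    return {v: minimal(L) for v, L in new.items()}


def check_termination(vertices, edges):
    """Iterate until a non-positive weight shows up (early exit) or S stabilizes."""
    n = len(edges[0][2])
    bound = 3 ** (n * n) * len(edges) + 1  # the slides' worst-case iteration count
    S = {v: frozenset() for v in vertices}
    iterations = 0
    while True:
        S_next = step(S, edges, n)
        iterations += 1
        bad = [M for L in S_next.values() for M in L if not positive(M)]
        if bad:
            return {"terminates": False, "iterations": iterations, "witness": bad[0], "bound": bound}
        if S_next == S:
            return {"terminates": True, "iterations": iterations, "lists": S, "bound": bound}
        S = S_next


# Ackermann with mu1 = m, mu2 = n: one vertex, one self-loop per calling context.
# Matrix entries were derived by hand from the contexts (constructed input).
ACK_M1 = ((STRICT, NONINC), (UNKNOWN, UNKNOWN))   # (m, n) -> (m-1, 1),            m > 0, n = 0
ACK_M2 = ((STRICT, UNKNOWN), (UNKNOWN, UNKNOWN))  # (m, n) -> (m-1, Ack(m, n-1)),  m > 0, n > 0
ACK_M3 = ((NONINC, UNKNOWN), (UNKNOWN, STRICT))   # (m, n) -> (m, n-1),            m > 0, n > 0
ACK_EDGES = [("Ack", "Ack", ACK_M1), ("Ack", "Ack", ACK_M2), ("Ack", "Ack", ACK_M3)]

# Constructed contrast that must fail: swap(m, n) = swap(n, m), no measure decreases.
SWAP_EDGES = [("swap", "swap", ((UNKNOWN, NONINC), (NONINC, UNKNOWN)))]

if __name__ == "__main__":
    print(check_termination(["Ack"], ACK_EDGES))
    print(check_termination(["swap"], SWAP_EDGES))
```

Run as a script it reports termination for Ack with the worst-case bound 244 and stabilization after two iterations, matching the slide, and it rejects the swap contrast on the first iteration because its only circuit weight has no 1 on the diagonal. The minimal-element filter is what keeps the lists short: after the first iteration the Ackermann list already drops to two matrices, since the weight of the first context is pointwise above the weight of the second.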


Thanks! 